Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication — Part 2
by Thomas W Shinder, M.D.
In the first part of their two part article we went over the principle that government the level of security afforded to L2TP/IPSec and PPTP connections. You saw that L2TP/IPSec provides the highest level of security for the encryption algorithm used by a VPN protocol. However, we also discovered the primary security concern with PPTP is related to password complexity and that password complexity issues could be obviated by using EAP/TLS certificate-based authentication.
The procedures required to make the whole thing work include:
You can go to http://isaserver.org/tutorials/installon2003.html and get instructions on how to install ISA 2000 on Windows Server 2003. Last week in the first part of this article we installed IIS 6.0 and an enterprise CA on a domain controller on the internal network. We also installed the RADIUS server. This week we’ll finish up by creating a VPN Remote Access Policy, configure the ISA firewall/VPN server to use RADIUS for authentication, issue a client certificate to the VPN client and configure the VPN client to use certificate-based EAP/TLS authentication.
Let’s continue with putting together our PPTP certificate-based EAP/TLS authentication infrastructure.
Creating RRAS Policy on the RADIUS Server
Perform the following steps to create a RRAS policy stored in the IAS Server:
- The last step in configuring the IAS Server is to create a Remote Access Policy for the VPN clients. We’ll use the Remote Access Policy Wizard to help us with this task. In the Internet Authentication Service console, right click on the Remote Access Policies node and click the New Remote Access Policy command.
- Click Next on the Welcome to the New Remote Access Policy Wizard page.
- On the Policy Configuration Method page, select the Use the wizard to set up a typical policy for a common scenario option. In the Policy name text box, type in a name for the policy. In this example, we’ll call it VPN Access Policy. Click Next.
- Select the VPN option on the Access Method page. Click Next.
- You can grant access to the VPN server based on user or group. The best method to control access is on a per-group basis because its easier to manage and confers less administrative overhead. You can create a group such as VPN Users and allow them access, or all your users access. It depends on who you want to access the network via VPN. In this example, we’ll select the Group option and click the Add button. This brings up the Select Groups dialog box. Type in the name of the group in the enter the object name to select text box and click the Check names button to confirm you entered the name correctly. Click OK in the Select Groups dialog box and then click Next.
- You can select the user authentication methods to allow on the Authentication Methods page. You may wish to allow both Microsoft Encrypted Authentication version 2 and Extensible Authentication Protocol (EAP). In this example we’ll allow only EAP as we wish to run a highly secure environment and we are able to assign all our clients use certificates. Select only the Extensible Authentication Protocol (EAP) checkbox and then click the down arrow in the Type (based on method of access and network configuration) drop down list box and select the Smart Card or other certificate open. Click the Configure button. In the Smart Card or other Certificate Properties dialog box you can select the certificate you want the server to use to identify itself to VPN clients. The self-signed certificate appears in the Certificate issued to drop down list box. This certificate will be used to identify the server. Click OK in the Smart Card or other Certificate Properties dialog box and then click Next.
- Select the level(s) of encryption you want to enforce for the VPN connections. Most environments now support 128 bit encryption for PPTP, so we’ll select that option in this example. If all your clients don’t support 128 bit encryption, select lower levels. Click Next.
- Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish.
Configuring the ISA Firewall/VPN Server to use RADIUS for Authentication
You can configure the ISA Server firewall and VPN server to use RADIUS and EAP/TLS authentication now that we have the IAS Server and RAS Policy on the IAS Server in place. Perform the following steps to configure the ISA Server firewall VPN server:
- Make sure that you have enabled the ISA Server firewall as a VPN Server.
- In the Microsoft Firewall and VPN for Appliances 2003 Management console, expand the VPN and Routing node in the left pane of the console and then right click on the Routing and Remote Access node. Click on the Properties command.
- In the Routing and Remote Access Properties dialog box, click on the Security tab. On the Security tab, click the down arrow in the Authentication provider drop down list box and select RADIUS Authentication. Click on the Authentication Methods button. In the Authentication Methods dialog box, put a checkmark in the Extensible authentication protocol (EAP) checkbox and remove the checkmarks from the Microsoft encrypted authentication versions 2 (MS-CHAP v2) and Microsoft encrypted authentication (MS-CHAP) checkboxes. Click OK in the Authentication Methods dialog box.
- Click the Configure button that lies to the right of the Authentication provider drop down list box. In the RADIUS Authentication dialog box, click the Add button. In the Add RADIUS Server dialog box, type in the FQDN or IP address of your IAS Server on the internal network. Make sure that you ISA Server firewall VPN server can resolve the FQDN of the IAS Server to the correct IP address. If you are not sure if the ISA Server firewall VPN server can correctly resolve the FQDN of the ISA Server firewall VPN server, use the IP address instead. Click the Change button that lies to the right of the Secret text box. Type in the shared secret you configured on the IAS Server, and then confirm the shared secret. Put a checkmark in the Always user message authenticator checkbox. Click OK in the Change Secret dialog box, then click OK in the RADIUS Authentication dialog box. Click Apply and then click OK in the Routing and Remote Access Properties dialog box.
- Click No in the Routing and Remote Access dialog box that informs you that you selected one or more authentication methods and would you like to view the Help topic.
- Click OK in the Routing and Remote Access dialog box that informs you that you must restart the Routing and Remote Access.
- Click OK in the Routing and Remote Access Properties dialog box.
- Right click on the Routing and Remote Access node in the left pane of the console, point to the All Tasks command and click the Restart command.
Issuing a User Certificate to a VPN Client
The last step is to assign the VPN client a user certificate and configure the VPN connectoid to use the user certificate. There are several ways to obtain a user certificate from a Windows Server 2003 Certificate Server, but the Web enrollment site is the most accessible. In this example we will obtain a user certificate from a Windows 2000 computer running Internet Explorer 6.0.
Perform the following steps to obtain the user certificate:
- Open Internet Explorer and type http://
/certsrvinto the address bar, where is the IP address of the certificate server on the internal network. Click Go.
- Type in your credentials into the Enter Network Password dialog box and click OK.
- Click the Request a certificate link on the Microsoft Certificate Services Welcome page.
- Click the User Certificate link on the Request a Certificate page.
- If you are presented with a Security Warning dialog box asking if you want to install and run the Microsoft Certificate Enrollment Control, click Yes. Repeat if you are presented with this dialog box a second time. Click the Submit button on the User Certificate – Identifying Information page. Click Yes on the Potential Scripting Violation dialog box that warns you that the Web site is requesting a new certificate on your behalf and that you should only allow this if you trust the site.
- Click the Install this certificate link on the Certificate Issued page. Click the Yes button on the Potential Scripting Violation page that warns you that the Web site is adding one or more certificates to your computer. Click Yes on the Root Certificate Store dialog box that asks if you want to add the certificate to the Root Store.
- Close the browser after you see the Certificate Installed page.
Creating the VPN Connectoid
You need to create a Dial-up Networking connectoid (DUN connectoid) to connect to the ISA firewall/VPN server. Perform the following steps to create the VPN connectoid on the VPN client machine.
Note: In this example we’ll create the VPN connectoid on a Windows 2000 Professional computer:
- Right click on the My Network Places icon on the desktop and click the Properties command.
- Double click on the Make New Connection icon in the Network and Dial-up Connections dialog box.
- Click Next on the Welcome to the Network Connection Wizard page.
- On the Network Connection Type page, select the Connect to a private network through the Internet option. Click Next.
- On the Destination Address page, type in the IP address or the FQDN for the VPN server. Click Next.
- On the Connection Availability page, select the Only for myself option. This is the most secure option because the logged on user’s account must be logged on before this VPN connectoid can be accessed. Click Next.
- Do not enable Internet Connection Sharing on the Internet Connection Sharing page. One thing you definitely do not want is one of your users to share the private VPN link with everyone on his home network. Click Next.
- Click Finish on the Completing the Network Connection Wizard page.
- Now we need to bind the user certificate to the VPN dial up connectoid. The Connect Virtual Private Connection dialog box appears. Click the Properties button.
- In the Virtual Private Connection dialog box, click on the Security tab. Select the Advanced option and click on the Settings button.
- In the Advanced Security Settings dialog box, select the Use Extensible Authentication Protocol (EAP) option. Make sure the Smart Card or other Certificate (encryption enabled) option is selected in the drop-down list box. Click the Properties button.
- The Smart Card or other Certificate Properties dialog box has a number of useful options. Since we are using a user certificate instead of a username and password for authentication, select the Use a certificate on this computer option. We can improve security by selecting the Validate server certificate option. When you select that option, the client will check whether the server certificate has expired during the certificate exchange process (the VPN client presents its certificate to the VPN server and the VPN server [in this case, the RADIUS server] presents its certificate to the VPN client). Place a checkmark in the Connect only if server name ends with checkbox. This will cause the VPN client to confirm that the correct domain name is included in the VPN server certificate. If the VPN server certificate does not contain the domain name you type into this text box, the connection attempt will fail. Click the down arrow in the Trusted root certificate authority drop down list box and select the CA that provided the user certificate to the VPN client. The improves security in that you explicitly specify which CA is trusted as the root CA for this VPN connection. Click OK in the Smart Card of other Certificate Properties dialog box.
- Click OK in the Advanced Security Settings dialog box and then click OK in the Virtual Private Connection dialog box.
- The truncated Connect Virtual Private Connection dialog box appears. Note that this connection dialog box doesn’t allow you to enter a username or password. The reason is that you don’t need to! The user has already obtained a certificate that confirms his identity. Even if someone were to learn this users username and password, it would not help that person because if you force certificate-based EAP/TLS authentication at the VPN server, the username and password won’t do that user any good at all.
- Click OK and you’ll make the connection. You can see that the connection is an L2TP/IPSec connection in this example. Its important to note that if you want to use L2TP/IPSec, you must assign a computer certificate to the VPN client and the ISA Server firewall VPN server. . Its important to realize that while the CA has a machine certificate and the VPN client has a user certificate, those certificates will not suffice to create a L2TP/IPSec connection. However, you will be successful
While L2TP/IPSec is the VPN wave of the future, I suspect that PPTP will continue to live on for quite some time. You can now make your PPTP VPN connection eminently secure by using EAP/TLS certificate based authentication. In this two part article we went over all the steps required to make this happen. I highly recommend that you set up a test lab and prove to yourself that EAP/TLS certificate-based authentication works for VPN clients. You can then roll out the EAP/TLS PPTP infrastructure after you’ve got it working in the lab. Good luck and let me know if you have any questions or problems.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001620 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom